qualys was scan report - information technology scan report confidential and proprietary...
TRANSCRIPT
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Scan Report 08 Oct 2015
Vulnerabilities of all selected scans are consolidated into one report so that you can view their evolution.
Tim LeKan Northwestern University
nrthw_tl 1800 Sherman Ave Suite 209
Evanston, Illinois 60201United States of America
Target and Filters
Scans (1) Web Application Vulnerability Scan - Test Web Site 2 - 2015-10-08
Web Applications (1) Test Web Site 2
Status New, Active, Re-Opened
SummarySecurity Risk Vulnerabilities Sensitive
Contents
Information
Gathered
39 0 18
Findings by Severity
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Vulnerabilities by Status
Vulnerabilities by Group
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
OWASP Top 10 2013 Vulnerabilities
Scan Date Level 5 Level 4 Level 3 Level 2 Level 1 Sensitive Contents
Information Gathered
Web Application Vulnerability Scan - Test Web Site 2 - 2015-10-08
08 Oct 2015 10:10 GMT-0600
9 2 7 7 14 0 18
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Results(57)
Vulnerability (39)
Cross-Site Scripting (11)
150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities (4)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities New
URL: http://demo.testfire.net/comment.aspx
Finding # 4849952(474978225) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal3.9
Details
ThreatXSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.
SolutionFilter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter It has been detected by exploiting the parameter name of the form located in URL http://demo.testfire.net/feedback.aspxThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/feedback.aspx
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload "'><qss%20a=@REQUESTID@>
Request POST http://demo.testfire.net/comment.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responseef="default.aspx?content=inside_careers.htm">Careers</a></li> </ul> </td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Thank You</h1> <p>Thank you for your comments, "'><qss a=X149637348Y2Z>. They will be reviewed by our Customer Service staff and given the full attention that they deserve.</p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 99%;"> <a id="_ctl0__ctl0_HyperLink5
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849971(474978244) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal3.9
Details
ThreatXSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.
SolutionFilter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter It has been detected by exploiting the parameter uid of the form located in URL http://demo.testfire.net/bank/login.aspxThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload uid=%22%3E%3Cqss%3E&passw=password&btnSubmit=Login
Request POST http://demo.testfire.net/bank/login.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response/p>
<form action="login.aspx" method="post" name="login" id="login" onsubmit="return (confirminput(login));"> <table> <tr> <td> Username: </td> <td> <input type="text" id="uid" name="uid" value=""><qss>" style="width: 150px;"> </td> <td> </td> </tr> <tr> <td> Password: </td> <td> <input type="password" id="passw" name="passw" style="width: 150px;"> </td> </tr>
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities New
URL: http://demo.testfire.net/notfound.aspx?aspxerrorpath=/Privacypolicy.aspx
Finding # 4849979(474978252) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal3.9
Details
ThreatXSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.
SolutionFilter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter It has been detected by exploiting the parameter aspxerrorpathThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/default.aspx?content=inside_careers.htmhttp://demo.testfire.net/Privacypolicy.aspx?sec=Careers&template=US
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload aspxerrorpath=%22%3E%3Cqss%3E
Request GET http://demo.testfire.net/notfound.aspx?aspxerrorpath=%22%3E%3Cqss%3E
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response</ul> </td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<p><span id="_ctl0__ctl0_Content_Main_error">Could not find the page you requested. <br><br><b>"><qss></b><br><br>Please check your spelling. If the spelling is correct and the page still does not exist contact the System Administrator.</span></p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 99%;">
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150001 Reflected Cross-Site Scripting (XSS) Vulnerabilities New
URL: http://demo.testfire.net/search.aspx
Finding # 4849985(474978258) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal3.9
Details
ThreatXSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contain characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used to as a part of a compromise.
SolutionFilter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter It has been detected by exploiting the parameter txtSearch of the form located in URL http://demo.testfire.net/The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload txtSearch=z--%3E%3Cqss%3E
Request GET http://demo.testfire.net/search.aspx?txtSearch=z--%3E%3Cqss%3E
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response
</ul> </td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Search Results</h1>
<p>No results were found for the query:<br /><br /><span id="_ctl0__ctl0_Content_Main_lblSearch">z--><qss></span></p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 99%;"> <a id="_ctl0__ctl0_HyperLink5" href="default.aspx?content=privacy.htm">Privacy Policy</a> | <a id="_
* The reflected string on the response webpage indicates that the vulnerability test was successful
150013 Browser-Specific Cross-Site Scripting Vulnerabilities (2)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150013 Browser-Specific Cross-Site Scripting Vulnerabilities New
URL: http://demo.testfire.net/notfound.aspx?aspxerrorpath=/Privacypolicy.aspx
Finding # 4849977(474978250) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal4.3
Details
ThreatXSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contains characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
Note! This specific test uses an XSS payload that takes advantage of Mozilla's HTML parsing engine. Manual confirmation of this vulnerability should use the Mozilla browser. Even though this exploits a particular Web browser, the Web application still has inadequate input filters.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code in the victim's Web browser. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash, and Java applets) can be used as part of a compromise.
SolutionFilter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter It has been detected by exploiting the parameter aspxerrorpathThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/default.aspx?content=inside_careers.htmhttp://demo.testfire.net/Privacypolicy.aspx?sec=Careers&template=US
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload aspxerrorpath=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20
Request GET http://demo.testfire.net/notfound.aspx?aspxerrorpath=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response
</td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<p><span id="_ctl0__ctl0_Content_Main_error">Could not find the page you requested. <br><br><b><script src=http://localhost/j </b><br><br>Please check your spelling. If the spelling is correct and the page still does not exist contact the System Administrator.</span></p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 9
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150013 Browser-Specific Cross-Site Scripting Vulnerabilities New
URL: http://demo.testfire.net/search.aspx
Finding # 4849983(474978256) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal4.3
Details
ThreatXSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message or display a home address when confirming a shipping destination. If the user-supplied data contains characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
The XSS payload is echoed in the HTML document returned by the request. An XSS payload may consist of HTML, JavaScript or other content that will be rendered by the browser. In order to exploit this vulnerability, a malicious user would need to trick a victim into visiting the URL with the XSS payload.
Note! This specific test uses an XSS payload that takes advantage of Mozilla's HTML parsing engine. Manual confirmation of this vulnerability should use the Mozilla browser. Even though this exploits a particular Web browser, the Web application still has inadequate input filters.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code in the victim's Web browser. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash, and Java applets) can be used as part of a compromise.
SolutionFilter all data collected from the client including user-supplied content and browser content such as Referrer and User-Agent headers.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
Detection Information
Parameter It has been detected by exploiting the parameter txtSearch of the form located in URL http://demo.testfire.net/The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload txtSearch=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20
Request GET http://demo.testfire.net/search.aspx?txtSearch=%3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsel> </td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Search Results</h1>
<p>No results were found for the query:<br /><br /><span id="_ctl0__ctl0_Content_Main_lblSearch"><script src=http://localhost/j </span></p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 99%;"> <a id="_ctl0__ctl0_HyperLink5" href="default.aspx?content=privacy.htm">Privacy Policy</a> |
* The reflected string on the response webpage indicates that the vulnerability test was successful
150076 DOM-Based Cross-Site Scripting (XSS) (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150076 DOM-Based Cross-Site Scripting (XSS) New
URL: http://demo.testfire.net/disclaimer.htm?url=http://www.microsoft.com
Finding # 4849982(474978255) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-8 Cross-Site Scripting
CVSS Base 4.3 CVSS Temporal3.7
Details
ThreatThis is a type of HTML injection that delivers an attack payload via a property of the browser's Document Object Model (DOM). The DOM represents the rendered form of a site's web page, such as frames, tables, forms, and text. The vulnerability occurs because a web page uses JavaScript to update the DOM with an attacker-influenced value that either changes the DOM's layout or executes JavaScript of the attacker's choosing. The following example demonstrates a DOM property, document.location, that is used to update the DOM via document.write. The exploit succeeds because the browser interprets the output of document.write as HTML, which the attacker uses to inject a Vulnerable web page: Other XSS vulnerabilities occur when the Web application echoes user-supplied data in an HTML response sent to the Web browser. For example, a Web application might include the user's name as part of a welcome message, or display a home address when confirming a shipping destination. If the user-supplied data contains characters that are interpreted as part of an HTML element instead of literal text, then an attacker can modify the HTML that is received by the victim's Web browser.
ImpactXSS exploits pose a significant threat to a Web application, its users and user data. XSS exploits target the users of a Web application rather than the Web application itself. An exploit can lead to theft of the user's credentials and personal or financial information. Complex exploits and attack scenarios are possible via XSS because it enables an attacker to execute dynamic code. Consequently, any capability or feature available to the Web browser (for example HTML, JavaScript, Flash and Java applets) can be used as part of a compromise.
SolutionClient-side JavaScript that uses document.write or otherwise modifies the DOM based on DOM properties such as document.location or window.location.href should filter content to ensure it does not contain malicious characters.
Any data collected from the client and displayed in a Web page should be HTML-encoded to ensure the content is rendered as text instead of an HTML element or JavaScript.
More information can be found at the OWASP community site.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/default.aspx?content=inside_contact.htm
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload #<script>qjsobject.reportDOMXSS()</script>
Request GET http://demo.testfire.net/disclaimer.htm?url=http://www.microsoft.com
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsesite: <br><br> <b><script>document.write(unescape(sDst));</script>http://www.microsoft.com#<script>qjsobject.reportDOMXSS()</script></b></p></td></tr></tbody></table></center></body></html>
150084 Unencoded characters (4)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150084 Unencoded characters New
URL: http://demo.testfire.net/comment.aspx
Finding # 4849951(474978224) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-20 Improper Input Handling
CVSS Base - CVSS Temporal-
Details
ThreatThe web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
ImpactNo exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
SolutionReview the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.
Detection Information
Parameter It has been detected by exploiting the parameter name of the form located in URL http://demo.testfire.net/feedback.aspxThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/feedback.aspx
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload cfile=comments.txt&name=%22'%3E%3C%3CSCRIPT%20a%3D2%3Eqss%3D7%3B%2F%2F%3C%3C%2FSCRIPT%3E&email_addr=123 Main
St.&subject=1&comments=1&reset=%20Clear%20Form%20&submit=%20Submit%20
Request POST http://demo.testfire.net/comment.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsecomment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
efault.aspx?content=inside_careers.htm">Careers</a></li> </ul> </td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Thank You</h1> <p>Thank you for your comments, "'><<SCRIPT a=2>qss=7;//<</SCRIPT>. They will be reviewed by our Customer Service staff and given the full attention that they deserve.</p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 99%;"> <a id="_ctl0__ctl0_Hyper
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150084 Unencoded characters New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849970(474978243) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-20 Improper Input Handling
CVSS Base - CVSS Temporal-
Details
ThreatThe web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
ImpactNo exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
SolutionReview the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.
Detection Information
Parameter It has been detected by exploiting the parameter uid of the form located in URL http://demo.testfire.net/bank/login.aspxThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload uid=%3Cscript%20%3D%22%3E%22%20SRC%3D%2F%2Flocalhost%2Fj%3E&passw=password&btnSubmit=Login
Request POST http://demo.testfire.net/bank/login.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsecomment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
m action="login.aspx" method="post" name="login" id="login" onsubmit="return (confirminput(login));"> <table> <tr> <td> Username: </td> <td> <input type="text" id="uid" name="uid" value="<script =">" SRC=//localhost/j>" style="width: 150px;"> </td> <td> </td> </tr> <tr> <td> Password: </td> <td> <input type="password" id="passw" name="passw" style="width: 150px;"> </td>
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150084 Unencoded characters New
URL: http://demo.testfire.net/notfound.aspx?aspxerrorpath=/Privacypolicy.aspx
Finding # 4849978(474978251) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-20 Improper Input Handling
CVSS Base - CVSS Temporal-
Details
ThreatThe web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
ImpactNo exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
SolutionReview the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.
Detection Information
Parameter It has been detected by exploiting the parameter aspxerrorpathThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/default.aspx?content=inside_careers.htmhttp://demo.testfire.net/Privacypolicy.aspx?sec=Careers&template=US
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload aspxerrorpath=%22'%3E%3C%3CSCRIPT%20a%3D2%3Eqss%3D7%3B%2F%2F%3C%3C%2FSCRIPT%3E
Request GET http://demo.testfire.net/notfound.aspx?aspxerrorpath=%22'%3E%3C%3CSCRIPT%20a%3D2%3Eqss%3D7%3B%2F%2F%3C%3C%2FSCRIPT%3E
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsecomment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
</td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<p><span id="_ctl0__ctl0_Content_Main_error">Could not find the page you requested. <br><br><b>"'><<SCRIPT a=2>qss=7;//<</SCRIPT></b><br><br>Please check your spelling. If the spelling is correct and the page still does not exist contact the System Administrator.</span></p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width:
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150084 Unencoded characters New
URL: http://demo.testfire.net/search.aspx
Finding # 4849984(474978257) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Cross-Site Scripting Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-79 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A3 Cross-Site Scripting (XSS) Times Detected 1
WASC WASC-20 Improper Input Handling
CVSS Base - CVSS Temporal-
Details
ThreatThe web application reflects potentially dangerous characters such as single quotes, double quotes, and angle brackets. These characters are commonly used for HTML injection attacks such as cross-site scripting (XSS).
ImpactNo exploit was determined for these reflected characters. The input parameter should be manually analyzed to verify that no other characters can be injected that would lead to an HTML injection (XSS) vulnerability.
SolutionReview the reflected characters to ensure that they are properly handled as defined by the web application's coding practice. Typical solutions are to apply HTML encoding or percent encoding to the characters depending on where they are placed in the HTML. For example, a double quote might be encoded as " when displayed in a text node, but as %22 when placed in the value of an href attribute.
Detection Information
Parameter It has been detected by exploiting the parameter txtSearch of the form located in URL http://demo.testfire.net/The payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload txtSearch=%3C%0a%0dscript%20a%3D4%3Eqss%3D7%3C%0a%0d%2Fscript%3E
Request GET http://demo.testfire.net/search.aspx?txtSearch=%3C%0a%0dscript%20a%3D4%3Eqss%3D7%3C%0a%0d%2Fscript%3E
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsecomment: A significant portion of the XSS test payload appeared in the web page, but the page's DOM was not modified as expected for a successful exploit. This result should be manually verified to determine its accuracy.
</ul> </td> <td valign="top" colspan="3" class="bb">
<div class="fl" style="width: 99%;">
<h1>Search Results</h1>
<p>No results were found for the query:<br /><br /><span id="_ctl0__ctl0_Content_Main_lblSearch"><
script a=4>qss=7<
/script></span></p>
</div>
</td> </tr></table>
</div>
<div id="footer" style="width: 99%;"> <a id="_ctl0__ctl0_HyperLink5" href="default.aspx?content=privacy.htm">Privacy Policy</a> |
* The reflected string on the response webpage indicates that the vulnerability test was successful
SQL Injection (3)
150003 SQL Injection (2)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150003 SQL Injection New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849968(474978241) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group SQL Injection Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-89 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A1 Injection Times Detected 1
WASC WASC-19 SQL Injection
CVSS Base 10 CVSS Temporal8.5
Details
ThreatSQL injection enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt or delete data. This is accomplished by manipulating query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.
Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. If any part of the string concatenation can be modified, then the meaning of the query can be changed.
Examples:These two lines demonstrate an insecure query that is created by appending the user-supplied data (userid):dim strQuery as String strQuery = "SELECT name,email FROM users WHERE userid=" + Request.QueryString("userid")
If no checks are performed against the userid parameter, then the query may be arbitrarily modified as shown in these two examples of a completed query:SELECT name,email FROM users WHERE userid=42SELECT name,email FROM users WHERE userid=42; SHUTDOWN WITH NOWAIT
ImpactThe scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.
SolutionSQL injection vulnerabilities can be addressed in three areas: input validation, query creation, and database security.
All input received from the Web client should be validated for correct content. If a value's type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that make it a valid address; or numeric fields like a U.S. zip code should be limited to five digit values.
Prepared statements (sometimes referred to as parameterized statements) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries. These functions are more secure than string concatenation for assigning user-supplied data to a query.
Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call stored procedures should not be created via string concatenation, otherwise their security benefits are negated.
SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits.
Example of a secure query created with a prepared statement:PreparedStatement ps = "SELECT name,email FROM users WHERE userid=?"; ps.setInt(1, userid);
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Detection Information
Parameter It has been detected by exploiting the parameter passw of the form located in URL http://demo.testfire.net/bank/login.aspxThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload uid=John&passw=z--%3E%3Cqss%3E&btnSubmit=Login
Request POST http://demo.testfire.net/bank/login.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response</tr> </table> </form></div>
<div id="wrapper" style="width: 99%;">
<div class="err" style="width: 99%;">
<h1>An Error Has Occurred</h1>
<h2>Summary:</h2>
<p><b><span id="_ctl0_Content_lblSummary">Syntax error in string in query expression 'username = 'John' AND password = 'z'.</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error in string in query expression 'username = 'John' AND pass
* The reflected string on the response webpage indicates that the vulnerability test was successful
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150003 SQL Injection New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849969(474978242) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group SQL Injection Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-89 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A1 Injection Times Detected 1
WASC WASC-19 SQL Injection
CVSS Base 10 CVSS Temporal8.5
Details
ThreatSQL injection enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt or delete data. This is accomplished by manipulating query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.
Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. If any part of the string concatenation can be modified, then the meaning of the query can be changed.
Examples:These two lines demonstrate an insecure query that is created by appending the user-supplied data (userid):dim strQuery as String strQuery = "SELECT name,email FROM users WHERE userid=" + Request.QueryString("userid")
If no checks are performed against the userid parameter, then the query may be arbitrarily modified as shown in these two examples of a completed query:SELECT name,email FROM users WHERE userid=42SELECT name,email FROM users WHERE userid=42; SHUTDOWN WITH NOWAIT
ImpactThe scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.
SolutionSQL injection vulnerabilities can be addressed in three areas: input validation, query creation, and database security.
All input received from the Web client should be validated for correct content. If a value's type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that make it a valid address; or numeric fields like a U.S. zip code should be limited to five digit values.
Prepared statements (sometimes referred to as parameterized statements) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries. These functions are more secure than string concatenation for assigning user-supplied data to a query.
Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call stored procedures should not be created via string concatenation, otherwise their security benefits are negated.
SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits.
Example of a secure query created with a prepared statement:PreparedStatement ps = "SELECT name,email FROM users WHERE userid=?"; ps.setInt(1, userid);
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Detection Information
Parameter It has been detected by exploiting the parameter uid of the form located in URL http://demo.testfire.net/bank/login.aspxThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload uid=%22'%3E%3Cqss%20%60%3b!--%3D%26%7b()%7d%3E&passw=password&btnSubmit=Login
Request POST http://demo.testfire.net/bank/login.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responseerror (missing operator) in query expression 'username = '"'><qss `;!'.</span></b></p>
<h2>Error Message:</h2>
<p><span id="_ctl0_Content_lblDetails">System.Data.OleDb.OleDbException: Syntax error (missing operator) in query expression 'username = '"'><qss `;!'. at System.Data.OleDb.OleDbCommand.ExecuteCommandTextErrorHandling(OleDbHResult hr) at System.Data.OleDb.OleDbCommand.ExecuteCommandTextForSingleResult(tagDBPARAMS dbParams, Object& executeResult)
* The reflected string on the response webpage indicates that the vulnerability test was successful
150093 SQL Injection in Web Service call (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150093 SQL Injection in Web Service call New
URL: http://demo.testfire.net/bank/ws.asmx?wsdl
Finding # 4849950(474978223) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group SQL Injection Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A1 Injection Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
ThreatSQL injection enables an attacker to modify the syntax of a SQL query in order to retrieve, corrupt or delete data. This is accomplished by manipulating query criteria in a manner that affects the query's logic. The typical causes of this vulnerability are lack of input validation and insecure construction of the SQL query.
Queries created by concatenating strings with SQL syntax and user-supplied data are prone to this vulnerability. If any part of the string concatenation can be modified, then the meaning of the query can be changed.
Examples:These two lines demonstrate an insecure query that is created by appending the user-supplied data (userid):dim strQuery as String strQuery = "SELECT name,email FROM users WHERE userid=" + Request.QueryString("userid")
If no checks are performed against the userid parameter, then the query may be arbitrarily modified as shown in these two examples of a completed query:SELECT name,email FROM users WHERE userid=42SELECT name,email FROM users WHERE userid=42; SHUTDOWN WITH NOWAIT
ImpactThe scope of a SQL injection exploit varies greatly. If any SQL statement can be injected into the query, then the attacker has the equivalent access of a database administrator. This access could lead to theft of data, malicious corruption of data, or deletion of data.
SolutionSQL injection vulnerabilities can be addressed in three areas: input validation, query creation, and database security.
All input received from the Web client should be validated for correct content. If a value's type or content range is known beforehand, then stricter filters should be applied. For example, an email address should be in a specific format and only contain characters that make it a valid address; or numeric fields like a U.S. zip code should be limited to five digit values.
Prepared statements (sometimes referred to as parameterized statements) provide strong protection from SQL injection. Prepared statements are precompiled SQL queries whose parameters can be modified when the query is executed. Prepared statements enforce the logic of the query and will fail if the query cannot be compiled correctly. Programming languages that support prepared statements provide specific functions for creating queries. These functions are more secure than string concatenation for assigning user-supplied data to a query.
Stored procedures are precompiled queries that reside in the database. Like prepared statements, they also enforce separation of query data and logic. SQL statements that call stored procedures should not be created via string concatenation, otherwise their security benefits are negated.
SQL injection exploits can be mitigated by the use of Access Control Lists or role-based access within the database. For example, a read-only account would prevent an attacker from modifying data, but would not prevent the user from viewing unauthorized data. Table and row-based access controls potentially minimize the scope of a compromise, but they do not prevent exploits.
Example of a secure query created with a prepared statement:PreparedStatement ps = "SELECT name,email FROM users WHERE userid=?"; ps.setInt(1, userid);
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Detection Information
Parameter It has been detected by exploiting the parameter UserId of the form located in URL trueThe payloads section will display a list of tests that show how the param could have been exploited to collect the information
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload <script%20src=http://localhost/j%20
Request POST http://demo.testfire.net/bank/ws.asmx?WSDL
#1 Content-Type: text/xml; charset=utf-8 #2 Referer: http://demo.testfire.net/ #3 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responseap/envelope/" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema"><soap:Body><soap:Fault><faultcode>soap:Server</faultcode><faultstring>Server was unable to process request. ---> Syntax error in string in query expression 'userid = %3Cscript%20src%3Dhttp%3A%2F%2Flocalhost%2Fj%20'.</faultstring><detail /></soap:Fault></soap:Body></soap:Envelope>
* The reflected string on the response webpage indicates that the vulnerability test was successful
Path Disclosure (2)
150004 Path-Based Vulnerability (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150004 Path-Based Vulnerability New
URL: http://demo.testfire.net/bank/.
Finding # 4849981(474978254) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Path Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-22 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A4 Insecure Direct Object ReferencesA7 Missing Function Level Access Control
Times Detected 1
WASC WASC-15 Application MisconfigurationWASC-16 Directory IndexingWASC-17 Improper Filesystem Permissions
CVSS Base 2.1 CVSS Temporal1.9
Details
ThreatA potentially sensitive file, directory, or directory listing was discovered on the Web server.
ImpactThe contents of this file or directory may disclose sensitive information.
SolutionVerify that access to this file or directory is permitted. If necessary, remove it or apply access controls to it.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload -
Request GET http://demo.testfire.net/bank/.
#1 Referer: http://demo.testfire.net/ #2 Cookie: amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsecomment: This directory was discovered during the crawl phase.
<html><head><title>demo.testfire.net - /bank/</title></head><body><H1>demo.testfire.net - /bank/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br> 5/10/2015 4:25 AM <dir> <A HREF="/bank/20060308_bak/">20060308_bak</A><br>11/20/2006 10:05 AM 1831 <A HREF="/bank/account.aspx">account.aspx</A><br> 6/18/2015 7:41 PM 5067 <A HREF="/bank/account.aspx.cs">account.aspx.cs</A><br>11/20/2006 10:05 AM 771 <A HREF="/bank/apply.aspx">apply.aspx</A><br>11/2
150023 Directory Listing (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150023 Directory Listing New
URL: http://demo.testfire.net/bank/.
Finding # 4849980(474978253) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Path Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-22 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A4 Insecure Direct Object ReferencesA5 Security Misconfiguration
Times Detected 1
WASC WASC-16 Directory Indexing
CVSS Base 5 CVSS Temporal4.5
Details
ThreatThe Web server presents a directory listing.
ImpactAll file names in this directory are exposed.
SolutionThe presence of a browseable directory does not necessarily imply a vulnerability. Determine if the directory listing is intended to be displayed. Verify that no files in the directory contain content that should not be served by the Web application.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload @PATH@.
Request GET http://demo.testfire.net/bank/.
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Response<html><head><title>demo.testfire.net - /bank/</title></head><body><H1>demo.testfire.net - /bank/</H1><hr>
<pre><A HREF="/">[To Parent Directory]</A><br><br> 5/10/2015 4:25 AM <dir> <A HREF="/bank/20060308_bak/">20060308_bak</A><br>11/20/2006 10:05 AM 1831 <A HREF="/bank/account.aspx">account.aspx</A><br> 6/18/2015 7:41 PM 5067 <A HREF="/bank/account.aspx.cs">account.aspx.cs</A><br>11/20/2006 10:05 AM 771 <A HREF="/bank/apply.aspx">apply.aspx</A><br>11/2
* The reflected string on the response webpage indicates that the vulnerability test was successful
Information Disclosure (23)
150049 Login Brute Force Vulnerability (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150049 Login Brute Force Vulnerability New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849967(474978240) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE CWE-285 Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A2 Broken Authentication and Session Management Times Detected 1
WASC WASC-11 Brute Force
CVSS Base 7.5 CVSS Temporal7.1
Details
ThreatThis vulnerability occurs when a malicious user succeeds to guess a valid username and password that will enable them to authenticate illicitly to a Web application.
The username and password would be "guessed" based on a generated list that can come from two sources: a user-defined configuration, or an internal list provided by the WAS module based on the most common usernames and passwords.
ImpactThe consequences will vary depending on which account the malicious user found. Obviously if the admin account has been found this way the consequences are much higher than a guest account.
Examples of consequences:Administration rights on the Web siteIdentity theftAccess to critical business related data
SolutionImplement a mechanism that will limit the number of attempts for a given username. This will prevent any brute forcer to test for more complex passwords.
Enforce a password policy that will make sure that the password is complex enough to prevent any easy guess (password equals username, or is a number, or a dictionary word). It is really important because if a password can be guessed in one attempt (for example, password equals username) then any limitation of number of attempts would useless.
It is recommended that a password has at least 8 characters containing numbers and special characters. Avoid replacing a letter that looks like a number by its corresponding number (for example, o with zero, e with 3) since many brute forcers do check for them.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
#1 RequestPayload uid=admin&passw=a****&btnSubmit=Login
Request POST http://demo.testfire.net/bank/login.aspx
#1 Referer: http://demo.testfire.net/
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseUsername: adminPassword: a****
150053 Login Form Is Not Submitted Via HTTPS (1)
150053 Login Form Is Not Submitted Via HTTPS New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849973(474978246) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A2 Broken Authentication and Session ManagementA6 Sensitive Data Exposure
Times Detected 1
WASC -
CVSS Base 8.5 CVSS Temporal7.2
Details
ThreatThe login form's default action contains a link that is not submitted via HTTPS (HTTP over SSL).
ImpactSensitive data such as authentication credentials should be encrypted when transmitted over the network. Otherwise they are exposed to sniffing attacks.
SolutionChange the login form's action to submit via HTTPS.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request POST http://demo.testfire.net/bank/login.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsecomment: Parent URL of Login Form is : http://demo.testfire.net/bank/login.aspxLogin Form Is Not Submitted Via HTTPS
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150085 Slow HTTP POST vulnerability (1)
150085 Slow HTTP POST vulnerability New
URL: http://demo.testfire.net/search.aspx
Finding # 4849976(474978249) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A5 Security Misconfiguration Times Detected 1
WASC -
CVSS Base 6.8 CVSS Temporal6.1
Details
ThreatThe web application is possibly vulnerable to a "slow HTTP POST" Denial of Service (DoS) attack. This is an application-level DoS that consumes server resources by maintaining open connections for an extended period of time by slowly sending traffic to the server. If the server maintains too many connections open at once, then it may not be able to respond to new, legitimate connections. Unlike bandwidth-consumption DoS attacks, the "slow" attack does not require a large amount of traffic to be sent to the server -- only that the client is able to maintain open connections for several minutes at a time. The attack holds server connections open by sending properly crafted HTTP POST headers that contain a Content-Length header with a large value to inform the web server how much of data to expect. After the HTTP POST headers are fully sent, the HTTP POST message body is sent at slow speeds to prolong the completion of the connection and lock up server resources. By waiting for the complete request body, the server is helping clients with slow or intermittent connections to complete requests, but is also exposing itself to abuse. More information can be found at the in this presentation.
ImpactAll other services remain intact but the web server itself becomes inaccessible.
SolutionSolution would be server-specific, but general recommendations are: - to limit the size of the acceptable request to each form requirements - establish minimal acceptable speed rate - establish absolute request timeout for connection with POST request Server-specific details can be found here. A tool that demonstrates this vulnerability in a more intrusive manner is available here.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request POST http://demo.testfire.net/search.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseVulnerable to slow HTTP POST attack Connection with partial POST body remained open for: 135481 milliseconds Server resets timeout after accepting request data from peer.
150124 Clickjacking - Framable Page (5)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150124 Clickjacking - Framable Page New
URL: http://demo.testfire.net/default.aspx?content=personal_deposit.htm
Finding # 4849947(474978220) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.9
Details
ThreatThe page can be easily framed. Anti-framing measures are not used.
ImpactClickjacking and Cross-Site Request Forgery (CSRF) can be performed by framing the target site. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
SolutionTwo of the most popular prevention are: X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/default.aspx?content=business.htm
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe URI was framed.
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150124 Clickjacking - Framable Page New
URL: http://demo.testfire.net/default.aspx
Finding # 4849954(474978227) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.9
Details
ThreatThe page can be easily framed. Anti-framing measures are not used.
ImpactClickjacking and Cross-Site Request Forgery (CSRF) can be performed by framing the target site. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
SolutionTwo of the most popular prevention are: X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/default.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe URI was framed.
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150124 Clickjacking - Framable Page New
URL: http://demo.testfire.net/
Finding # 4849959(474978232) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.9
Details
ThreatThe page can be easily framed. Anti-framing measures are not used.
ImpactClickjacking and Cross-Site Request Forgery (CSRF) can be performed by framing the target site. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
SolutionTwo of the most popular prevention are: X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe URI was framed.
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150124 Clickjacking - Framable Page New
URL: http://demo.testfire.net/feedback.aspx
Finding # 4849964(474978237) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.9
Details
ThreatThe page can be easily framed. Anti-framing measures are not used.
ImpactClickjacking and Cross-Site Request Forgery (CSRF) can be performed by framing the target site. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
SolutionTwo of the most popular prevention are: X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/feedback.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe URI was framed.
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150124 Clickjacking - Framable Page New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849974(474978247) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.9
Details
ThreatThe page can be easily framed. Anti-framing measures are not used.
ImpactClickjacking and Cross-Site Request Forgery (CSRF) can be performed by framing the target site. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
SolutionTwo of the most popular prevention are: X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page. Framekiller: JavaScript code that prevents the malicious user from framing the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/bank/login.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe URI was framed.
150112 Sensitive form field has not disabled autocomplete (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150112 Sensitive form field has not disabled autocomplete New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849972(474978245) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A5 Security Misconfiguration Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
ThreatAn HTML form that collects sensitive information (such as a password field) does not prevent the browser from prompting the user to save the populated values for late reuse. Stored credentials should not be available to anyone but their owner.
ImpactIf the browser is used in a shared computing environment where more than one person may use the browser, then "autocomplete" values may be submitted by an unauthorized user. For example, if a browser saves the login name and password for a form, then anyone with access to the browser may submit the form and authenticate to the site without having to know the victim's password.
SolutionAdd the following attribute to the form or input element: autocomplete="off" This attribute prevents the browser from prompting the user to save the populated form values for later reuse.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request POST http://demo.testfire.net/bank/login.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe following password field(s) in the form do not set autocomplete="off":(Field name: passw, Field id: passw)Parent URL of form is: http://demo.testfire.net/bank/login.aspx
150122 Cookie Does Not Contain The "secure" Attribute (2)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150122 Cookie Does Not Contain The "secure" Attribute New
URL: http://demo.testfire.net/
Finding # 4849958(474978231) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A2 Broken Authentication and Session ManagementA6 Sensitive Data Exposure
Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
ThreatThe cookie does not contain the "secure" attribute.
ImpactCookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
SolutionIf the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseASP.NET_SessionId=vvdt2455rgmjcz312m2mamep; path=/; domain=demo.testfire.net; httponly
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150122 Cookie Does Not Contain The "secure" Attribute New
URL: http://demo.testfire.net/bank/customize.aspx
Finding # 4849962(474978235) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A2 Broken Authentication and Session ManagementA6 Sensitive Data Exposure
Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
ThreatThe cookie does not contain the "secure" attribute.
ImpactCookies with the "secure" attribute are only permitted to be sent via HTTPS. Session cookies sent via HTTP expose an unsuspecting user to sniffing attacks that could lead to user impersonation or compromise of the application account.
SolutionIf the associated risk of a compromised account is high, apply the "secure" attribute to cookies and force all sensitive requests to be sent via HTTPS.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/bank/customize.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responselang=; path=/; domain=demo.testfire.net
150123 Cookie Does Not Contain The "HTTPOnly" Attribute (2)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150123 Cookie Does Not Contain The "HTTPOnly" Attribute New
URL: http://demo.testfire.net/
Finding # 4849957(474978230) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A2 Broken Authentication and Session Management Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
ThreatThe cookie does not contain the "HTTPOnly" attribute.
ImpactCookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.
SolutionIf the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseamSessionId=15130676; path=/; domain=demo.testfire.net
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150123 Cookie Does Not Contain The "HTTPOnly" Attribute New
URL: http://demo.testfire.net/bank/customize.aspx
Finding # 4849961(474978234) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP A2 Broken Authentication and Session Management Times Detected 1
WASC -
CVSS Base - CVSS Temporal-
Details
ThreatThe cookie does not contain the "HTTPOnly" attribute.
ImpactCookies without the "HTTPOnly" attribute are permitted to be accessed via JavaScript. Cross-site scripting attacks can steal cookies which could lead to user impersonation or compromise of the application account.
SolutionIf the associated risk of a compromised account is high, apply the "HTTPOnly" attribute to cookies.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/bank/customize.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responselang=; path=/; domain=demo.testfire.net
150059 Reference to Windows file path is present in HTML (5)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150059 Reference to Windows file path is present in HTML New
URL: http://demo.testfire.net/default.aspx?content=inside_volunteering.htm
Finding # 4849949(474978222) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 5 CVSS Temporal3.8
Details
ThreatWindows specific file path was detected in the response.
ImpactThe response may be an error response that disclosed a local file path. This may potentially be a sensitive information.
SolutionThe content should be reviewed to determine whether it could be masked or removed.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/default.aspx?content=inside.htmhttp://demo.testfire.net/default.aspx?content=inside_community.htm
Payloads
#1 RequestPayload -
Request GET http://demo.testfire.net/default.aspx?content=inside_volunteering.htm
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseC:\Documents\JohnSmith\VoluteeringInformation.pdf
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150059 Reference to Windows file path is present in HTML New
URL: http://demo.testfire.net/comment.aspx
Finding # 4849953(474978226) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 5 CVSS Temporal3.8
Details
ThreatWindows specific file path was detected in the response.
ImpactThe response may be an error response that disclosed a local file path. This may potentially be a sensitive information.
SolutionThe content should be reviewed to determine whether it could be masked or removed.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/feedback.aspx
Payloads
#1 RequestPayload -
Request GET http://demo.testfire.net/comment.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsec:\downloads\AltoroMutual_v6\website\comment.aspx.cs
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150059 Reference to Windows file path is present in HTML New
URL: http://demo.testfire.net/bank/queryxpath.aspx
Finding # 4849956(474978229) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 5 CVSS Temporal3.8
Details
ThreatWindows specific file path was detected in the response.
ImpactThe response may be an error response that disclosed a local file path. This may potentially be a sensitive information.
SolutionThe content should be reviewed to determine whether it could be masked or removed.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/bank/login.aspx
Payloads
#1 RequestPayload -
Request GET http://demo.testfire.net/bank/queryxpath.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: lang=; amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsec:\downloads\AltoroMutual_v6\website\bank\bank.master.cs
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150059 Reference to Windows file path is present in HTML New
URL: http://demo.testfire.net/bank/customize.aspx
Finding # 4849963(474978236) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 5 CVSS Temporal3.8
Details
ThreatWindows specific file path was detected in the response.
ImpactThe response may be an error response that disclosed a local file path. This may potentially be a sensitive information.
SolutionThe content should be reviewed to determine whether it could be masked or removed.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/http://demo.testfire.net/bank/login.aspx
Payloads
#1 RequestPayload -
Request GET http://demo.testfire.net/bank/customize.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 Responsec:\downloads\AltoroMutual_v6\website\bank\bank.master.cs
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150059 Reference to Windows file path is present in HTML New
URL: http://demo.testfire.net/feedback.aspx
Finding # 4849966(474978239) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 5 CVSS Temporal3.8
Details
ThreatWindows specific file path was detected in the response.
ImpactThe response may be an error response that disclosed a local file path. This may potentially be a sensitive information.
SolutionThe content should be reviewed to determine whether it could be masked or removed.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload -
Request GET http://demo.testfire.net/feedback.aspx
#1 Referer: http://demo.testfire.net/ #2 Cookie: amSessionId=15130676; ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep;
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseL:\backup\website\oldfiles
150081 Clickjacking - X-Frame-Options header is not set (5)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150081 Clickjacking - X-Frame-Options header is not set New
URL: http://demo.testfire.net/default.aspx?content=personal_deposit.htm
Finding # 4849948(474978221) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.7
Details
ThreatX-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
ImpactAttacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SolutionSet the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/default.aspx?content=inside.htm
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150081 Clickjacking - X-Frame-Options header is not set New
URL: http://demo.testfire.net/default.aspx
Finding # 4849955(474978228) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.7
Details
ThreatX-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
ImpactAttacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SolutionSet the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/default.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150081 Clickjacking - X-Frame-Options header is not set New
URL: http://demo.testfire.net/
Finding # 4849960(474978233) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.7
Details
ThreatX-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
ImpactAttacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SolutionSet the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150081 Clickjacking - X-Frame-Options header is not set New
URL: http://demo.testfire.net/feedback.aspx
Finding # 4849965(474978238) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.7
Details
ThreatX-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
ImpactAttacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SolutionSet the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/feedback.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150081 Clickjacking - X-Frame-Options header is not set New
URL: http://demo.testfire.net/bank/login.aspx
Finding # 4849975(474978248) First Time Detected 08 Oct 2015 10:10 GMT-0600
Group Information Disclosure Last Time Detected 08 Oct 2015 10:10 GMT-0600
CWE - Last Time Tested 08 Oct 2015 10:10 GMT-0600
OWASP - Times Detected 1
WASC -
CVSS Base 2.1 CVSS Temporal1.7
Details
ThreatX-Frame-Options header is not set, and that may lead to a possible framing of the page. An attack can trick the user into clicking on the link by framing the original page and showing a layer on top of it with dummy buttons.
ImpactAttacks like Clickjacking and Cross-Site Request Forgery (CSRF) could be performed.
SolutionSet the X-Frame-Options: This header works with modern browsers and can be used to prevent framing of the page. Note that is must be an HTTP header, the setting is ignored if it is created as an "http-equiv" meta element within the page.
Detection Information
Parameter No param has been required for detecting the information.
Authentication In order to detect this vulnerability, no authentication has been required.
Access Path Here is the path followed by the scanner to reach the exploitable URL:
http://demo.testfire.net/
Payloads
#1 RequestPayload N/A
Request GET http://demo.testfire.net/bank/login.aspx
Click this link to try to reproduce the vulnerability using above payload.Note that clicking this link may not lead to visible results, either because the vulnerability requires context to be previously set (authentication, cookies...) or because the exploitation of the vulnerability does not lead to any visible proof.
#1 ResponseThe response for this request either did not have an "X-FRAME-OPTIONS" header present or was not set to DENY or SAMEORIGIN
Information Gathered (18)
Information Gathered (18)
150042 Server Returns HTTP 500 Message For Request (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150042 Server Returns HTTP 500 Message For Request
Finding # 1362946(474978216) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP A6 Sensitive Data Exposure
WASC WASC-15 Application Misconfiguration
Details
ThreatDuring the scanning engine's crawl phase, the Web server responded with an HTTP 500 message for each link listed below. The HTTP 500 message indicates a server error.
ImpactThe presence of an HTTP 500 error during the crawl phase indicates that some problem exists in the Web site that will be encountered during normal usage of the Web application.
SolutionReview each link to determine why the server encountered an error when responding to the link.
Results
http://demo.testfire.net/bank/customize.aspxhttp://demo.testfire.net/bank/queryxpath.aspxhttp://demo.testfire.net/comment.aspxhttp://demo.testfire.net/default.aspx?content=personal_savings.htm
150086 Server accepts unnecessarily large POST request body (1)
150086 Server accepts unnecessarily large POST request body
Finding # 1362935(474977205) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP A5 Security Misconfiguration
WASC -
Details
ThreatWeb application scanner successfully sent a POST request with content type of application/x-www-form-urlencoded and 65536 bytes length random text data. Accepting request bodies with unnecessarily large size could help attacker to use less connections to achieve Layer 7 DDoS of web server. More information can be found at the here
ImpactCould result in successful application level (Layer 7) DDoS attack.
SolutionLimit the size of the request body to each form's requirements. For example, a search form with 256-char search field should not accept more than 1KB value. Server-specific details can be found here.
Results
Server responded 200 to unnecessarily large random request body(over 64 KB) for URL http://demo.testfire.net/search.aspx, significantly increasing attacker's chances to prolong slow HTTP POST attack.
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
45017 Operating System Detected (1)
45017 Operating System Detected
Finding # 1362947(474978217) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatSeveral different techniques can be used to identify the operating system (OS) running on a host. A short description of these techniques is provided below. The specific technique used to identify the OS on this host is included in the RESULTS section of your report.
1) TCP/IP Fingerprint: The operating system of a host can be identified from a remote system using TCP/IP fingerprinting. All underlying operating system TCP/IP stacks have subtle differences that can be seen in their responses to specially-crafted TCP packets. According to the results of this "fingerprinting" technique, the OS version is among those listed below.
Note that if one or more of these subtle differences are modified by a firewall or a packet filtering device between the scanner and the host, the fingerprinting technique may fail. Consequently, the version of the OS may not be detected correctly. If the host is behind a proxy-type firewall, the version of the operating system detected may be that for the firewall instead of for the host being scanned.
2) NetBIOS: Short for Network Basic Input Output System, an application programming interface (API) that augments the DOS BIOS by adding special functions for local-area networks (LANs). Almost all LANs for PCs are based on the NetBIOS. Some LAN manufacturers have even extended it, adding additional network capabilities. NetBIOS relies on a message format called Server Message Block (SMB).
3) PHP Info: PHP is a hypertext pre-processor, an open-source, server-side, HTML-embedded scripting language used to create dynamic Web pages. Under some configurations it is possible to call PHP functions like phpinfo() and obtain operating system information.
4) SNMP: The Simple Network Monitoring Protocol is used to monitor hosts, routers, and the networks to which they attach. The SNMP service maintains Management Information Base (MIB), a set of variables (database) that can be fetched by Managers. These include "MIB_II.system.sysDescr" for the operating system.
ImpactNot applicable.
SolutionNot applicable.
Results
Operating System Technique ID
Windows Vista / Windows 2008 / Windows 7 / Windows 2012 TCP/IP Fingerprint U3675:80
150018 Connection Error Occurred During Web Application Scan (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150018 Connection Error Occurred During Web Application Scan
Finding # 1362932(474977202) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatSome of requests timed out or unexpected errors were detected in the connection while crawling or scanning the Web application.
ImpactSome of the links were not crawled or scanned. Results may be incomplete or incorrect.
SolutionInvestigate the root cause of failure accessing the listed links.
Results
Total number of unique links that encountered unexpected errors: 1Links with highest number of unexpected errors: 1 http://demo.testfire.net/cgi.exe
Phase wise summary of timeout and unexpected errors encountered: ePhaseCrawl : 0 1
6 DNS Host Name (1)
6 DNS Host Name
Finding # 1362937(474977207) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe fully qualified domain name of this host, if it was obtained from a DNS server, is displayed in the RESULT section.
Results
IP address Host name
65.61.137.117 No registered hostname
45038 Host Scan Time (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
45038 Host Scan Time
Finding # 1362942(474978212) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe Host Scan Time is the period of time it takes the scanning engine to perform the vulnerability assessment of a single target host. The Host Scan Time for this host is reported in the Result section below.
The Host Scan Time does not have a direct correlation to the Duration time as displayed in the Report Summary section of a scan results report. The Duration is the period of time it takes the service to perform a scan task. The Duration includes the time it takes the service to scan all hosts, which may involve parallel scanning. It also includes the time it takes for a scanner appliance to pick up the scan task and transfer the results back to the service's Secure Operating Center. Further, when a scan task is distributed across multiple scanners, the Duration includes the time it takes to perform parallel host scanning on all scanners.
ImpactN/A
SolutionN/A
Results
Scan duration: 1411 seconds
Start time: Thu, Oct 08 2015, 15:10:34 GMT
End time: Thu, Oct 08 2015, 15:34:05 GMT
150009 Links Crawled (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150009 Links Crawled
Finding # 1362948(474978218) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe list of unique links crawled and HTML forms submitted by the Web application scanner appear in the Results section. This list may contain fewer links than the maximum threshold defined at scan launch. The maximum links to crawl includes links in this list and requests for the same link made as an anonymous and authenticated user.
ImpactN/A
SolutionN/A
Results
Duration of crawl phase (seconds): 263.00Number of links: 85(This number excludes form requests and links re-requested during authentication.)
http://demo.testfire.net/http://demo.testfire.net/Privacypolicy.aspx?sec=Careers&template=UShttp://demo.testfire.net/altoro/images/gradient.jpghttp://demo.testfire.net/bank/20060308_bak/http://demo.testfire.net/bank/account.aspxhttp://demo.testfire.net/bank/account.aspx.cshttp://demo.testfire.net/bank/apply.aspx.cshttp://demo.testfire.net/bank/bank.masterhttp://demo.testfire.net/bank/bank.master.cshttp://demo.testfire.net/bank/customize.aspxhttp://demo.testfire.net/bank/customize.aspx.cshttp://demo.testfire.net/bank/login.aspxhttp://demo.testfire.net/bank/login.aspx.cshttp://demo.testfire.net/bank/main.aspxhttp://demo.testfire.net/bank/main.aspx.cshttp://demo.testfire.net/bank/members/http://demo.testfire.net/bank/queryxpath.aspxhttp://demo.testfire.net/bank/queryxpath.aspx.cshttp://demo.testfire.net/bank/servererror.aspxhttp://demo.testfire.net/bank/transaction.aspxhttp://demo.testfire.net/bank/transaction.aspx.cshttp://demo.testfire.net/bank/transfer.aspx.cshttp://demo.testfire.net/bank/ws.asmxhttp://demo.testfire.net/bank/ws.asmx?WSDLhttp://demo.testfire.net/bank/ws.asmx?discohttp://demo.testfire.net/bank/ws.asmx?op=GetUserAccountshttp://demo.testfire.net/bank/ws.asmx?op=IsValidUserhttp://demo.testfire.net/bank/ws.asmx?op=TransferBalancehttp://demo.testfire.net/comment.aspxhttp://demo.testfire.net/default.aspxhttp://demo.testfire.net/default.aspx?content=business.htmhttp://demo.testfire.net/default.aspx?content=business_cards.htmhttp://demo.testfire.net/default.aspx?content=business_deposit.htmhttp://demo.testfire.net/default.aspx?content=business_insurance.htmhttp://demo.testfire.net/default.aspx?content=business_lending.htmhttp://demo.testfire.net/default.aspx?content=business_other.htmhttp://demo.testfire.net/default.aspx?content=business_retirement.htmhttp://demo.testfire.net/default.aspx?content=inside.htmhttp://demo.testfire.net/default.aspx?content=inside_about.htmhttp://demo.testfire.net/default.aspx?content=inside_benefits.htmhttp://demo.testfire.net/default.aspx?content=inside_careers.htmhttp://demo.testfire.net/default.aspx?content=inside_community.htmhttp://demo.testfire.net/default.aspx?content=inside_contact.htmhttp://demo.testfire.net/default.aspx?content=inside_executives.htmhttp://demo.testfire.net/default.aspx?content=inside_internships.htmhttp://demo.testfire.net/default.aspx?content=inside_investor.htm
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
http://demo.testfire.net/default.aspx?content=inside_jobs.htmhttp://demo.testfire.net/default.aspx?content=inside_press.htmhttp://demo.testfire.net/default.aspx?content=inside_trainee.htmhttp://demo.testfire.net/default.aspx?content=inside_volunteering.htmhttp://demo.testfire.net/default.aspx?content=jobs/20061024.htmhttp://demo.testfire.net/default.aspx?content=jobs/20061025.htmhttp://demo.testfire.net/default.aspx?content=jobs/20061027.htmhttp://demo.testfire.net/default.aspx?content=personal.htmhttp://demo.testfire.net/default.aspx?content=personal_cards.htmhttp://demo.testfire.net/default.aspx?content=personal_checking.htmhttp://demo.testfire.net/default.aspx?content=personal_deposit.htmhttp://demo.testfire.net/default.aspx?content=personal_investments.htmhttp://demo.testfire.net/default.aspx?content=personal_loans.htmhttp://demo.testfire.net/default.aspx?content=personal_other.htmhttp://demo.testfire.net/default.aspx?content=personal_savings.htmhttp://demo.testfire.net/default.aspx?content=pr/20060413.htmhttp://demo.testfire.net/default.aspx?content=pr/20060518.htmhttp://demo.testfire.net/default.aspx?content=pr/20060720.htmhttp://demo.testfire.net/default.aspx?content=pr/20060817.htmhttp://demo.testfire.net/default.aspx?content=pr/20060921.htmhttp://demo.testfire.net/default.aspx?content=pr/20060928.htmhttp://demo.testfire.net/default.aspx?content=pr/20061005.htmhttp://demo.testfire.net/default.aspx?content=pr/20061109.htmhttp://demo.testfire.net/default.aspx?content=privacy.htmhttp://demo.testfire.net/default.aspx?content=security.htmhttp://demo.testfire.net/disclaimer.htm?url=http://www.microsoft.comhttp://demo.testfire.net/disclaimer.htm?url=http://www.netscape.comhttp://demo.testfire.net/feedback.aspxhttp://demo.testfire.net/high_yield_investments.htmhttp://demo.testfire.net/images/b_retirement.jpghttp://demo.testfire.net/inside_points_of_interest.htmhttp://demo.testfire.net/notfound.aspx%3Faspxerrorpath=/Privacypolicy.aspxhttp://demo.testfire.net/notfound.aspx?aspxerrorpath=/Privacypolicy.aspxhttp://demo.testfire.net/retirement.htmhttp://demo.testfire.net/search.aspxhttp://demo.testfire.net/security.htmhttp://demo.testfire.net/subscribe.swfhttp://demo.testfire.net/survey_questions.aspxhttp://demo.testfire.net/survey_questions.aspx?step=a
150010 External Links Discovered (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150010 External Links Discovered
Finding # 1362945(474978215) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe external links discovered by the Web application scanning engine are provided in the Results section. These links were present on the target Web application, but were not crawled.
ImpactN/A
SolutionN/A
Results
Number of links: 9http://www.adobe.com/products/acrobat/readstep2.htmlhttp://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cabhttp://www.cert.org/http://www.newspapersyndications.tv/http://demo-analytics.testfire.net/urchin.jsfile:///C:%5CDocuments%5CJohnSmith%5CVoluteeringInformation.pdffile:///C:%5Cmy%20documents%5CJohnSmith%5CBank%20Site%20Documents%5Cgrouplife.htmhttp://www.macromedia.com/go/getflashplayerhttp://www.watchfire.com/statements/terms.aspx
150021 Scan Diagnostics (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150021 Scan Diagnostics
Finding # 1362938(474977208) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThis check provides various details of the scan's performance and behavior. In some cases, this check can be used to identify problems that the scanner encountered when crawling the target Web application.
ImpactThe scan diagnostics data provides technical details about the crawler's performance and behavior. This information does not necessarily imply problems with the Web application.
SolutionNo action is required.
Results
Loaded 0 blacklist entries.Loaded 0 whitelist entries.HTML form authentication unavailable, no WEBAPP entry foundNo more requeues, redundant link threshold has been surpassed.Collected 95 links overall.Path manipulation: Estimated requests (payloads x links): files with extension:(3 x 64) + files:(10 x 64) + directories:(91 x 8) + paths:(13 x 72) = total (2496) Batch #0 Path manipulation: estimated time < 10 minutes (117 tests, 72 inputs)Path manipulation: 117 vulnsigs tests, completed 1214 requests, 15 seconds. Completed 1214 requests of 2496 estimated requests (48.6378%). All tests completed.Batch #0 WS enumeration: estimated time < 1 minute (9 tests, 95 inputs)WS enumeration: 9 vulnsigs tests, completed 73 requests, 2 seconds. Completed 73 requests of 855 estimated requests (8.53801%). All tests completed.Batch #1 URI parameter manipulation (no auth): estimated time < 1 minute (47 tests, 17 inputs)Batch #1 URI parameter manipulation (no auth): 47 vulnsigs tests, completed 799 requests, 24 seconds. Completed 799 requests of 799 estimated requests (100%). All tests completed.Batch #1 Form parameter manipulation (no auth): estimated time < 1 minute (47 tests, 2 inputs)Batch #1 Form parameter manipulation (no auth): 47 vulnsigs tests, completed 547 requests, 30 seconds. Completed 547 requests of 94 estimated requests (581.915%). All tests completed.Batch #1 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 17 inputs)Batch #1 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 153 requests, 8 seconds. Completed 153 requests of 459 estimated requests (33.3333%). All tests completed.Batch #1 Form blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 2 inputs)Batch #1 Form blind SQL manipulation (no auth): 9 vulnsigs tests, completed 99 requests, 10 seconds. Completed 99 requests of 54 estimated requests (183.333%). All tests completed.Batch #1 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 17 inputs)Batch #1 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 187 requests, 14 seconds. Completed 187 requests of 187 estimated requests (100%). All tests completed.Batch #1 Form field time-based tests (no auth): estimated time < 1 minute (11 tests, 2 inputs)Batch #1 Form field time-based tests (no auth): 11 vulnsigs tests, completed 121 requests, 20 seconds. Completed 121 requests of 22 estimated requests (550%). All tests completed.Batch #2 URI parameter manipulation (no auth): estimated time < 1 minute (47 tests, 17 inputs)Batch #2 URI parameter manipulation (no auth): 47 vulnsigs tests, completed 799 requests, 23 seconds. Completed 799 requests of 799 estimated requests (100%). All tests completed.Batch #2 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 17 inputs)Batch #2 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 153 requests, 10 seconds. Completed 153 requests of 459 estimated requests (33.3333%). All tests completed.Batch #2 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 17 inputs)Batch #2 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 187 requests, 19 seconds. Completed 187 requests of 187 estimated requests (100%). All tests completed.Batch #3 URI parameter manipulation (no auth): estimated time < 1 minute (47 tests, 17 inputs)Batch #3 URI parameter manipulation (no auth): 47 vulnsigs tests, completed 844 requests, 22 seconds. Completed 844 requests of 799 estimated requests (105.632%). All tests completed.Batch #3 URI blind SQL manipulation (no auth): estimated time < 1 minute (9 tests, 17 inputs)Batch #3 URI blind SQL manipulation (no auth): 9 vulnsigs tests, completed 144 requests, 8 seconds. Completed 144 requests of 459 estimated requests (31.3725%). All tests completed.Batch #3 URI parameter time-based tests (no auth): estimated time < 1 minute (11 tests, 17 inputs)Batch #3 URI parameter time-based tests (no auth): 11 vulnsigs tests, completed 176 requests, 14 seconds. Completed 176 requests of 187 estimated requests (94.1176%). All tests completed.Batch #4 HTTP call manipulation: estimated time < 1 minute (33 tests, 6 inputs)Batch #4 HTTP call manipulation: 33 vulnsigs tests, completed 792 requests, 39 seconds. Completed 792 requests of 990 estimated requests (80%). All tests completed.Batch #4 Open Redirect analysis: estimated time < 1 minute (1 tests, 2 inputs)Batch #4 Open Redirect analysis: 1 vulnsigs tests, completed 2 requests, 4 seconds. Completed 2 requests of 2 estimated requests (100%). All tests completed.CSRF tests will not be launched because the scan is not successfully authenticated.Batch #4 File Inclusion analysis: estimated time < 1 minute (1 tests, 89 inputs)Batch #4 File Inclusion analysis: 1 vulnsigs tests, completed 42 requests, 4 seconds. Completed 42 requests of 89 estimated requests (47.191%). All tests completed.Batch #4 Cookie manipulation: estimated time < 10 minutes (37 tests, 3 inputs)Batch #4 Cookie manipulation: 37 vulnsigs tests, completed 6261 requests, 237 seconds. Completed 6261 requests of 9435 estimated requests (66.3593%). XSS optimization removed 1080 links. All tests completed.Batch #4 Header manipulation: estimated time < 10 minutes (37 tests, 85 inputs)Batch #4 Header manipulation: 37 vulnsigs tests, completed 2064 requests, 72 seconds. Completed 2064 requests of 6290 estimated requests (32.814%). XSS optimization removed 2040 links. All tests completed.Batch #4 shell shock detector: estimated time < 1 minute (1 tests, 83 inputs)Batch #4 shell shock detector: 1 vulnsigs tests, completed 84 requests, 3 seconds. Completed 84 requests of 83 estimated requests (101.205%). All tests completed.Batch #4 shell shock detector(form): estimated time < 1 minute (1 tests, 2 inputs)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Batch #4 shell shock detector(form): 1 vulnsigs tests, completed 2 requests, 1 seconds. Completed 2 requests of 2 estimated requests (100%). All tests completed.Batch #4 Login Brute Force manipulation: estimated time < 10 minutes (1914 tests, 1 inputs)Batch #4 Login Brute Force manipulation: 1914 vulnsigs tests, completed 234 requests, 535 seconds. Completed 234 requests of 1914 estimated requests (12.2257%). Module did not finish.Batch #5 HTTP Time Bandit: estimated time < 1 minute (1 tests, 10 inputs)Batch #5 HTTP Time Bandit: 1 vulnsigs tests, completed 180 requests, 12 seconds. No tests to execute.Total requests made: 15534Average server response time: 0.16 secondsMost recent links:200 http://demo.testfire.net/feedback.aspx200 http://demo.testfire.net/bank/login.aspx200 http://demo.testfire.net/default.aspx200 http://demo.testfire.net/default.aspx?content=business.htm200 http://demo.testfire.net/default.aspx?content=inside.htm200 http://demo.testfire.net/default.aspx?content=inside_contact.htm200 http://demo.testfire.net/default.aspx?content=personal.htm200 http://demo.testfire.net/default.aspx?content=personal_checking.htm200 http://demo.testfire.net/default.aspx?content=personal_deposit.htm200 http://demo.testfire.net/feedback.aspx
150028 Cookies Collected (1)
150028 Cookies Collected
Finding # 1362941(474978211) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe cookies listed in the Results section were received from the web application during the crawl phase.
ImpactCookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
SolutionReview cookie values to ensure that sensitive information such as passwords are not present within them.
Results
Total cookies: 4ASP.NET_SessionId=vvdt2455rgmjcz312m2mamep; HttpOnly; path=/ First set at URL: http://demo.testfire.net/amSessionId=15130676; path=/ First set at URL: http://demo.testfire.net/TRACK=QlP7Myt3zfSMlSwEIh5I6dtyo; path=/ First set at URL: http://www.altoromutual.com/bug.aspxlang=; path=/ First set at URL: http://demo.testfire.net/bank/customize.aspx
150041 Links Rejected (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150041 Links Rejected
Finding # 1362949(474978219) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThis has an informative nature. The links listed below were not crawled by the Web application scanning engine because they were intentionally prohibited by a blacklist or whitelist configuration setting. The list is provided to verify that links have been correctly blocked by blacklist and whitelist filters.
ImpactLinks listed here were neither crawled or tested by the Web application scanning engine, and that should be in sync with the intended behavior.
SolutionNo action is required.
Results
http://demo.testfire.net/pr/communityannualreport.pdfhttp://demo.testfire.net/admin/clients.xls
150054 Email Addresses Collected (1)
150054 Email Addresses Collected
Finding # 1362934(474977204) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe email addresses listed in the Results section were collected from the returned HTML content during the crawl phase.
ImpactEmail addresses may help a malicious user with brute force and phishing attacks.
SolutionReview the email list to see if they are all email addresses you want to expose.
Results
Number of emails: [email protected] first seen at http://demo.testfire.net/security.htm
150058 Flash Analysis (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150058 Flash Analysis
Finding # 1362939(474977209) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThis check provides various details on Flash analysis including problems encountered while handling SWF files.
ImpactN/A
SolutionNo action is required.
Results
SWF file: http://demo.testfire.net/subscribe.swf Version: 6 Extracted links: 0
150087 Web Service Found (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150087 Web Service Found
Finding # 1362936(474977206) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe list of links with Web Service descriptions was found during the crawling or by brute forcing. List of Web Services is included with every discovered Web Service description.
ImpactN/A
SolutionN/A
Results
APIs from: http://demo.testfire.net/bank/ws.asmx?WSDL
GetUserAccountsIsValidUserTransferBalanceAPIs from: http://demo.testfire.net/bank/ws.asmx?wsdl
GetUserAccountsIsValidUserTransferBalance
150099 Cookies Issued Without User Consent (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150099 Cookies Issued Without User Consent
Finding # 1362943(474978213) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe cookies listed in the Results section were issued from the web application during the crawl without accepting any opt-in dialogs.
ImpactCookies may be set without user explicitly agreeing to accept them.
SolutionReview the application to ensure that all cookies listed are supposed to be issued without user opt-in. If the EU Cookie law is applicable for this web application, ensure these cookies require user opt-in or have been classified as exempt by your organization.
Results
Total cookies: 2ASP.NET_SessionId=g0jw2hjjeuutb4quvtaypneb; HttpOnly; path=/ First set at URL: http://demo.testfire.net/amSessionId=128739550; path=/ First set at URL: http://demo.testfire.net/
150101 Third-party Cookies Collected (1)
150101 Third-party Cookies Collected
Finding # 1362944(474978214) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe cookies listed in the Results section were received from third-party web application(s) during the crawl phase.
ImpactCookies may contain sensitive information about the user. Cookies sent via HTTP may be sniffed.
SolutionReview cookie values to ensure that sensitive information such as passwords are not present within them.
Results
Total cookies: 1TRACK=QlP7Myt3zfSMlSwEIh5I6dtyo; path=/ First set at URL: http://www.altoromutual.com/bug.aspx
150115 Authentication Form found (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150115 Authentication Form found
Finding # 1362933(474977203) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatAuthentication Form was found during the web application crawling.
ImpactN/A
SolutionN/A
Results
Authentication form found at: http://demo.testfire.net/bank/login.aspx Action uri: http://demo.testfire.net/bank/login.aspx Fields: uid, passw, btnSubmit
150126 Links With High Resource Consumption (1)
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
150126 Links With High Resource Consumption
Finding # 1362940(474978210) Detection Date 08 Oct 2015 10:10 GMT-0600
Group Information GatheredCWE -
OWASP -
WASC -
Details
ThreatThe list of links with lowest bytes/sec which are assumed to be resources with highest resource consumption. The links in the list have slower transfer times speeds to an average resource on the server. This may indicate that the links are more CPU or DB intensive than majority of links.
The latency of the network and file size have no effect on calculations.
ImpactThe links with high resource consumption could be used to perform DOS on the server by just performing GET Flooding. Attackers could more easily take the server down if there are huge resource hogs on it, performing less request.
SolutionFind the root cause of resources slow download speed.
If the cause is a real CPU strain or complex DB queries performed, there may be a need for re-engineering of the web application or defense measures should be in place. Examples of defense against DOS that is targeted towards high resource consumption links are Load Balancers and Rate Limiters.
Results
136036.200000 bytes/sec http://demo.testfire.net/bank/login.aspx141788.300000 bytes/sec http://demo.testfire.net/default.aspx?content=personal_checking.htm142133.000000 bytes/sec http://demo.testfire.net/default.aspx?content=business.htm143684.000000 bytes/sec http://demo.testfire.net/default.aspx?content=personal_deposit.htm148547.500000 bytes/sec http://demo.testfire.net/default.aspx?content=inside.htm149393.100000 bytes/sec http://demo.testfire.net/feedback.aspx150667.900000 bytes/sec http://demo.testfire.net/default.aspx?content=personal.htm155750.600000 bytes/sec http://demo.testfire.net/default.aspx177704.600000 bytes/sec http://demo.testfire.net/default.aspx?content=inside_contact.htm
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Appendix
Scan DetailsWeb Application Vulnerability Scan - Test Web Site 2 - 2015-10-08
Reference was/1444317019323.11273247
Date 08 Oct 2015 10:10 GMT-0600
Mode On-Demand
Type Vulnerability
Authentication None
Scanner Appliance External (IP: 64.39.105.57, Scanner: 7.16.38-1, WAS: 3.12.19-1, Signatures: 2.3.133-2)
Profile Standard Scan
Duration 00:23:31
Status Finished
Authentication Status None
Web Application Details: Test Web Site 2Name Test Web Site 2
URL http://demo.testfire.net/
Owner Tim LeKan (nrthw_tl)
Scope Limit to content located at or below URL subdirectory
Operating System Windows Vista / Windows 2008 / Windows 7 / Windows 2012
Severity LevelsConfirmed Vulnerabilities
Vulnerabilities (QIDs) are design flaws, programming errors, or mis-configurations that make your web application and web application platform susceptible to malicious attacks. Depending on the level of the security risk, the successful exploitation of a vulnerability can vary from the disclosure of information to a complete compromise of the web application and/or the web application platform. Even if the web application isn't fully compromised, an exploited vulnerability could still lead to the web application being used to launch attacks against users of the site.
Minimal Basic information disclosure (e.g. web server type, programming language) might enable intruders to discover other vulnerabilities, but lack of this information does not make the vulnerability harder to find.
Medium Intruders may be able to collect sensitive information about the application platform, such as the precise version of software used. With this information, intruders can easily exploit known vulnerabilities specific to software versions. Other types of sensitive information might disclose a few lines of source code or hidden directories.
Serious Vulnerabilities at this level typically disclose security-related information that could result in misuse or an exploit. Examples include source code disclosure or transmitting authentication credentials over non-encrypted channels.
Critical Intruders can exploit the vulnerability to gain highly sensitive content or affect other users of the web application. Examples include certain types of cross-site scripting and SQL injection attacks.
Urgent Intruders can exploit the vulnerability to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture.
Potential Vulnerabilities
Potential Vulnerabilities indicate that the scanner observed a weakness or error that is commonly used to attack a web application, and the scanner was unable to confirm if the weakness or error could be exploited. Where possible, the QID's description and results section include information and hints for following-up with manual analysis. For example, the exploitability of a QID may be influenced by characteristics that the scanner cannot confirm, such as the web application's network architecture, or the test to confirm exploitability requires more intrusive testing than the scanner is designed to conduct.
WAS Scan Report
CONFIDENTIAL AND PROPRIETARY INFORMATION. Qualys provides the QualysGuard Service "As Is," without any warranty of any kind. Qualys makes no warranty that the information contained in this report is complete or error-free. Copyright 2015, Qualys, Inc.
Minimal Presence of this vulnerability is indicative of basic information disclosure (e.g. web server type, programming language) and might enable intruders to discover other vulnerabilities. For example in this scenario, information such as web server type, programming language, passwords or file path references can be disclosed.
Medium Presence of this vulnerability is indicative of basic information disclosure (e.g. web server type, programming language) and might enable intruders to discover other vulnerabilities. For example version of software or session data can be disclosed, which could be used to exploit.
Serious Presence of this vulnerability might give access to security-related information to intruders who are bound to misuse or exploit. Examples of what could happen if this vulnerability was exploited include bringing down the server or causing hindrance to the regular service.
Critical Presence of this vulnerability might give intruders the ability to gain highly sensitive content or affect other users of the web application.
Urgent Presence of this vulnerability might enable intruders to compromise the web application's data store, obtain information from other users' accounts, or obtain command execution on a host in the web application's architecture. For example in this scenario, the web application users can potentially be targeted if the application is exploited.
Sensitive Content
Sensitive content may be detected based on known patterns (credit card numbers, social security numbers) or custom patterns (strings, regular expressions), depending on the option profile used. Intruders may gain access to sensitive content that could result in misuse or other exploits.
Minimal Sensitive content was found in the web server response. During our scan of the site form(s) were found with field(s) for credit card number or social security number. This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.
Medium Sensitive content was found in the web server response. Specifically our service found a certain sensitive content pattern (defined in the option profile). This information disclosure could result in a confidentiality breach and could be a target for intruders. For this reason we recommend caution.
Serious Sensitive content was found in the web server response - a valid social security number or credit card information. This infomation disclosure could result in a confidentiality breach, and it gives intruders access to valid sensitive content that could be misused.
Information Gathered
Information Gathered issues (QIDs) include visible information about the web application's platform, code, or architecture. It may also include information about users of the web application.
Minimal Intruders may be able to retrieve sensitive information related to the web application platform.
Medium Intruders may be able to retrieve sensitive information related to internal functionality or business logic of the web application.
Serious Intruders may be able to detect highly sensitive data, such as personally identifiable information (PII) about other users of the web application.